Privacy Policy

Privacy Commitment

The Electronic Privacy Information Center (“EPIC,” “we,” “our,” or “us”) is strongly committed to protecting your privacy rights. As part of that commitment, we want to be as transparent and clear as possible regarding what information about you that we process (“processing” includes collecting, analyzing, reviewing, updating, storing, and sharing), what we use it for, and any third-party services we use on our website. We process as little of your personal data as possible.

We do not sell or rent any personal data that we process about you. Certain actions, such as donating to us or signing up for a newsletter, require processing by third parties and any personal data that you submit for these purposes will redirect to them and be governed by their privacy policies. These are listed and described in the “Third Parties” section below. We also intend to challenge any subpoena or other legal process seeking access to personal data that we hold about our website visitors, donors, email recipients, or petition/campaign participants.

Controllership

EPIC is the controller for all personal data processed for the purposes below. This means that we determine the purposes for which the personal data will be processed and respond to any questions or requests you have about the personal data. In some cases, third parties may process your personal data in order to assist us in fulfilling the processing purposes. These cases are described below. Where this occurs, the third party acts as a data processor and EPIC remains the data controller. The third parties process the data only at our instructions and for the specific purposes listed.

Personal Data

Personal data means any information that identifies you as an individual. This includes your name, email address, pictures of you, personal device ID, location, and more. EPIC collects only personal data necessary to allow you to access our website, donate to us, participate in petitions or campaigns, or receive EPIC email alerts. Below, we tell you what precise personal data elements are collected in each instance, what the personal data is used for, and the processing basis. You always have a choice of whether to provide us with your personal data, but we may be unable to provide certain services to you without it (for example, we cannot send you email alerts without your email address).

Website

EPIC makes information on its website freely available to Internet users without storing any personal data. We do not enable any cookies other than those strictly necessary to process your information for requested services (for example, if you click on a link in order to donate to EPIC) or for website functionality. Any third party cookies – such as those used to process a donation – are solely for completing the requested action. We do not allow any tracking or advertisement cookies on our website. You may be able to change your browser setup to limit or reject cookies as well. For more information, please visit https://www.aboutcookies.org/.

Donations

Personal Data Elements: In order to process your donation, we will process financial information, billing address, email address, and name if submitted. (EPIC also allows anonymous donations using major cryptocurrencies.)

Purpose(s): EPIC only processes the personal information necessary to process donations to EPIC, to send updates and fundraising requests to our donors, and to comply with applicable laws.

Processing Basis: Your personal data is processed regarding EPIC’s donation list solely as is necessary for our legitimate interests and where not overridden by your data protection interests or fundamental rights and freedoms. Our legitimate interests include accepting and facilitating financial and personal support for the organization and completing the actions that you have requested by submitting information for a donation.

You can read more about EPIC’s work to defend donor privacy here.

Petitions, Events, and Campaigns

Personal Data Elements: When you sign on to petitions or campaigns or register for events, we will process your name (made public on these documents when you choose to provide them) and email address (not made public).

Purpose(s): We may use your email address to contact you for purposes related to the event, petition, or campaign. In the event that any information provided will be made public (such as when you sign a petition), we will notify you on the form prior to submission.

Processing Basis: Your personal data is processed regarding petitions, events, and campaigns solely as is necessary to our legitimate interests and where not overridden by your data protection interests or fundamental rights and freedoms. Our legitimate interests include facilitating your participation in the event or your support for the petition or campaign.

EPIC Email Alerts

Personal Data Element(s): In order to send you our EPIC Alert newsletter or other email notifications that you sign up for, we will process your email address. Please note that we do not require the email address you provide to be linked to an actual identity.

Purpose(s): We collect your email address in order to send you the EPIC Alert newsletter, send notices about EPIC activities, and request support for EPIC’s work. We will only send you our newsletter when you sign up to receive it by submitting your email address. You can unsubscribe from this newsletter at any time by clicking the “Unsubscribe” link contained in the newsletter email. You can also read the EPIC Alert by visiting the EPIC Alert archive at our web site if you prefer not to provide an email address. We do not enhance (link to other databases) our mailing list or require your actual name.

Processing Basis: We only process data necessary to our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. Our legitimate interests include educating subscribers and the public about emerging privacy and civil liberties issues, promoting EPIC’s activities, supporting EPIC, and providing you with information that you have requested. We have also deactivated tracking features in MailChimp (our email list vendor) and require “double opt-in” for subscriptions. We include links to modify or cancel your subscription in every message to the EPIC Alert mailing list.

Your Personal Data Rights

You have certain rights regarding your personal data, including the right to confirm whether or not we are processing your personal data. In the event you wish to view, receive a copy of, update, correct, or delete an email address, a donor record, or any other personal data in EPIC’s possession at any time for any reason, please contact privacy-request@epic.org to take those actions. If you feel that your rights are not being adequately respected or adhered to, you also have the right to lodge a complaint with your supervisory authority.

Third Parties

EPIC limits third party processing to the following, used only as strictly necessary to deliver the requested services:

  • Donations to EPIC are processed by PayPal and subject to their privacy policy: https://www.paypal.com/us/webapps/mpp/ua/privacy-full
  • Our newsletter and email list are processed by MailChimp and subject to their privacy policy: https://mailchimp.com/legal/privacy
  • Our website is hosted by Pantheon.io and they may have limited access to personal data when providing us with services. Their privacy policy is available here: https://pantheon.pactsafe.io/legal.html#contract-r1gwog2ui

Data Retention

We will retain any personal data that we process for as long as necessary to complete the purpose of processing. Once the purpose of processing has been completed, we delete raw user data after 18 months.

Data Transfer

In the event that you are providing your personal data to us from outside the United States, we want you to be aware that we make every effort to employ appropriate safeguards related to your data appropriate to the sensitivity of the data in question, but that there is a small chance that your data could be requested or intercepted by the U.S. government. As mentioned above, EPIC intends to challenge any subpoena or other legal process seeking access to personal data that we hold and to inform you of any such requests where we can legally do so. Your data is transferred to us as necessary for the performance of a contract between you and EPIC—namely, in order to allow EPIC to deliver to you the applicable service you have requested as described above. If you are an European Economic Area resident and wish to report any concerns or further exercise your rights, contact information for European data protection authorities can be found here. For residents of any other country concerned about our data transfer practices, please reach out to us with any questions at privacy-request@epic.org.

Questions?

For any other information about our privacy policy, please contact privacy-request@epic.org.

This policy was updated on October 28, 2021.